Polish gh-9597

Steve Riesenberg · Steve Riesenberg · commit df0f6f83af42 · 2021-12-02T17:44:47.000-06:00
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurer.java
@@ -21,7 +21,6 @@
 import javax.servlet.http.HttpServletRequest;
 
 import org.springframework.context.ApplicationContext;
-import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
@@ -91,11 +90,6 @@ public void configure(H http) {
 		if (trustResolver != null) {
 			this.securityContextRequestFilter.setTrustResolver(trustResolver);
 		}
-		AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = http
-				.getSharedObject(AuthenticationDetailsSource.class);
-		if (authenticationDetailsSource != null) {
-			this.securityContextRequestFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
-		}
 		ApplicationContext context = http.getSharedObject(ApplicationContext.class);
 		if (context != null) {
 			String[] grantedAuthorityDefaultsBeanNames = context.getBeanNamesForType(GrantedAuthorityDefaults.class);
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurerTests.java
@@ -30,7 +30,6 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.access.AccessDeniedException;
-import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.TestingAuthenticationToken;
@@ -150,15 +149,6 @@ public void configureWhenSharedObjectTrustResolverThenTrustResolverUsed() throws
 		verify(SharedTrustResolverConfig.TR, atLeastOnce()).isAnonymous(any());
 	}
 
-	@Test
-	public void configureWhenSharedObjectAuthenticationDetailsSourceThenAuthenticationDetailsSourceUsed() {
-		this.spring.register(SharedAuthenticationDetailsSourceConfig.class).autowire();
-		SecurityContextHolderAwareRequestFilter scaFilter = getFilter(SecurityContextHolderAwareRequestFilter.class);
-		AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = getFieldValue(scaFilter,
-				"authenticationDetailsSource");
-		assertThat(authenticationDetailsSource).isEqualTo(SharedAuthenticationDetailsSourceConfig.ADS);
-	}
-
 	@Test
 	public void requestWhenServletApiWithDefaultsInLambdaThenUsesDefaultRolePrefix() throws Exception {
 		this.spring.register(ServletApiWithDefaultsInLambdaConfig.class, AdminController.class).autowire();
@@ -331,22 +321,6 @@ protected void configure(HttpSecurity http) {
 
 	}
 
-	@EnableWebSecurity
-	static class SharedAuthenticationDetailsSourceConfig extends WebSecurityConfigurerAdapter {
-
-		@SuppressWarnings("unchecked")
-		static AuthenticationDetailsSource<HttpServletRequest, ?> ADS = spy(AuthenticationDetailsSource.class);
-
-		@Override
-		protected void configure(HttpSecurity http) {
-			// @formatter:off
-			http
-				.setSharedObject(AuthenticationDetailsSource.class, ADS);
-			// @formatter:on
-		}
-
-	}
-
 	@EnableWebSecurity
 	static class ServletApiWithDefaultsInLambdaConfig extends WebSecurityConfigurerAdapter {
 
diff --git a/web/src/main/java/org/springframework/security/web/servletapi/HttpServlet3RequestFactory.java b/web/src/main/java/org/springframework/security/web/servletapi/HttpServlet3RequestFactory.java
@@ -81,7 +81,7 @@ final class HttpServlet3RequestFactory implements HttpServletRequestFactory {
 
 	private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
 
-	private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
+	private final AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
 
 	private AuthenticationEntryPoint authenticationEntryPoint;
 
@@ -162,18 +162,6 @@ void setTrustResolver(AuthenticationTrustResolver trustResolver) {
 		this.trustResolver = trustResolver;
 	}
 
-	/**
-	 * Sets the {@link AuthenticationDetailsSource} to be used. The default is
-	 * {@link WebAuthenticationDetailsSource}.
-	 * @param authenticationDetailsSource the {@link AuthenticationDetailsSource} to use.
-	 * Cannot be null.
-	 */
-	void setAuthenticationDetailsSource(
-			AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
-		Assert.notNull(authenticationDetailsSource, "authenticationDetailsSource cannot be null");
-		this.authenticationDetailsSource = authenticationDetailsSource;
-	}
-
 	@Override
 	public HttpServletRequest create(HttpServletRequest request, HttpServletResponse response) {
 		return new Servlet3SecurityContextHolderAwareRequestWrapper(request, this.rolePrefix, response);
diff --git a/web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestFilter.java b/web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestFilter.java
@@ -27,14 +27,12 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.AuthenticationEntryPoint;
-import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.util.Assert;
 import org.springframework.web.filter.GenericFilterBean;
@@ -82,8 +80,6 @@ public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean {
 
 	private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
 
-	private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
-
 	public void setRolePrefix(String rolePrefix) {
 		Assert.notNull(rolePrefix, "Role prefix must not be null");
 		this.rolePrefix = rolePrefix;
@@ -176,23 +172,9 @@ public void setTrustResolver(AuthenticationTrustResolver trustResolver) {
 		updateFactory();
 	}
 
-	/**
-	 * Sets the {@link AuthenticationDetailsSource} to be used. The default is
-	 * {@link WebAuthenticationDetailsSource}.
-	 * @param authenticationDetailsSource the {@link AuthenticationDetailsSource} to use.
-	 * Cannot be null.
-	 */
-	public void setAuthenticationDetailsSource(
-			AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
-		Assert.notNull(authenticationDetailsSource, "authenticationDetailsSource cannot be null");
-		this.authenticationDetailsSource = authenticationDetailsSource;
-		updateFactory();
-	}
-
 	private HttpServletRequestFactory createServlet3Factory(String rolePrefix) {
 		HttpServlet3RequestFactory factory = new HttpServlet3RequestFactory(rolePrefix);
 		factory.setTrustResolver(this.trustResolver);
-		factory.setAuthenticationDetailsSource(this.authenticationDetailsSource);
 		factory.setAuthenticationEntryPoint(this.authenticationEntryPoint);
 		factory.setAuthenticationManager(this.authenticationManager);
 		factory.setLogoutHandlers(this.logoutHandlers);
diff --git a/web/src/test/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestFilterTests.java b/web/src/test/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestFilterTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
+ * Copyright 2004, 2005, 2006, 2021 Acegi Technology Pty Limited
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,6 +36,7 @@
 
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.mock.web.MockHttpSession;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.TestingAuthenticationToken;
@@ -45,12 +46,14 @@
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.authentication.WebAuthenticationDetails;
 import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.test.util.ReflectionTestUtils;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyBoolean;
 import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.BDDMockito.given;
@@ -59,6 +62,7 @@
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyZeroInteractions;
+import static org.mockito.Mockito.when;
 
 /**
  * Tests {@link SecurityContextHolderAwareRequestFilter}.
@@ -217,6 +221,27 @@ public void loginNullAuthenticationManagerFail() throws Exception {
 		verifyZeroInteractions(this.authenticationEntryPoint, this.authenticationManager, this.logoutHandler);
 	}
 
+	@Test
+	public void loginWhenHttpServletRequestHasAuthenticationDetailsThenAuthenticationRequestHasDetails()
+			throws Exception {
+		String ipAddress = "10.0.0.100";
+		String sessionId = "session-id";
+		when(this.request.getRemoteAddr()).thenReturn(ipAddress);
+		when(this.request.getSession(anyBoolean())).thenReturn(new MockHttpSession(null, sessionId));
+		wrappedRequest().login("username", "password");
+
+		ArgumentCaptor<UsernamePasswordAuthenticationToken> authenticationCaptor = ArgumentCaptor
+				.forClass(UsernamePasswordAuthenticationToken.class);
+		verify(this.authenticationManager).authenticate(authenticationCaptor.capture());
+
+		UsernamePasswordAuthenticationToken authenticationRequest = authenticationCaptor.getValue();
+		assertThat(authenticationRequest.getDetails()).isInstanceOf(WebAuthenticationDetails.class);
+
+		WebAuthenticationDetails details = (WebAuthenticationDetails) authenticationRequest.getDetails();
+		assertThat(details.getRemoteAddress()).isEqualTo(ipAddress);
+		assertThat(details.getSessionId()).isEqualTo(sessionId);
+	}
+
 	@Test
 	public void logout() throws Exception {
 		TestingAuthenticationToken expectedAuth = new TestingAuthenticationToken("user", "password", "ROLE_USER");
